The 5 Most Landmark OCR Settlements in 20 Years of HIPAA

When HIPAA was first enacted in 1996, few people could have anticipated the shock waves that this landmark regulation would send across the health care industry.

Over the course of 20 years, the regulation has changed considerably to account for national conversations surrounding the integrity, privacy, and security of patients’ health information.

In addition to changes in the regulation itself, HIPAA enforcement by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has also undergone dramatic shifts in scope and focus. When HIPAA was first passed, there were no enforcement rules in place. It was a serious piece of regulation that had no teeth, and because of that, its standards were adopted slowly.

That didn’t change until 2000 when the HIPAA Privacy Rule was issued. With the Privacy Rule in place, OCR was formally given the mandate to police HIPAA compliance across the health care industry.

Since then, enforcement has become an increasingly sensitive issue for health care entities operating under HIPAA. In the past three years especially, government fines have skyrocketed. OCR has identified widespread non-compliance as a major issue across the health care industry, and these upticks in fines are just the beginning of a new era of HIPAA enforcement.

To better understand the changing world of enforcement, we discuss below some of the most significant settlements in the history of HIPAA. These five settlements give insight into enforcement trends that we expect will continue in the years ahead.

1. Advocate Health, $5.55 million fine, almost 4 million affected

The Advocate Health case is both the most recent and the most expensive HIPAA settlement that OCR has ever received. The massive $5.55 million fine was levied in response to multiple data breaches that began back in 2013. These breaches affected almost 4 million individuals.

In OCR’s release about the settlement, Director Jocelyn Samuels commented: “covered entities […] must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

This settlement is a particularly serious example that proves just how far OCR is willing to go to punish organizations that willfully neglect the integrity of their patients’ PHI.

2. Dr. Beck, license revoked, 5,600 affected

Not every recent settlement has involved a major health care organization and millions of patients. The Beck breach affected only 5,600 individuals. But because of the extent of the HIPAA violations, Dr. Beck, a dentist based in Indiana, had his license to practice permanently revoked.

OCR has shown time and again that it will modify its punishments and fine schedule to suit the particulars of individual investigations. The Beck case is so important because it proves that federal regulators can exact harsh, unprecedented punishments on health care organizations of any size.

3. Triple-S, December 2015, $3.5 million fine

This $3.5 million fine is one of the highest settlements that OCR has ever issued. Triple-S is a management company that was fined on behalf of its three subsidiaries, which violated HIPAA regulations.

As an insurance company based in Puerto Rico, Triple-S represents an unlikely target for an OCR investigation. But this case proves that OCR enforcement efforts have changed drastically from the early days, when most investigations were into large hospitals and medical organizations. Triple-S sets the precedent for investigations into non-domestic organizations that mishandle PHI, fail to execute Business Associate Agreements, or fail to conduct Risk Assessments.

4. First settlement for a breach affecting fewer than 500 individuals

This relatively small fine was levied in the first settlement that OCR ever issued in response to a breach of unsecured ePHI affecting fewer than 500 individuals. It is a clear example of OCR handling a small-scale breach in the same way as some of the larger-scale breaches we have already discussed.

When it comes to enforcement, a breach of PHI caused by organization-wide non-compliance is viewed similarly regardless of the size of the breach. HIPAA treats the integrity of patient health records as a baseline requirement. Any instance of PHI being mishandled or breached is a serious incident in the eyes of government regulators, and this case proves that they will respond as they see fit.

5. Philadelphia CHCS, June 2016, $650,000 fine, 412 affected

The Philadelphia Catholic Health Care Services settlement is perhaps the most significant on this list because it represents the first time that a Business Associate has been fined for non-compliance. Even though Business Associates have been beholden to HIPAA regulation for years, this is the first instance of a PHI breach by a BA that has yielded a full OCR investigation and fine.

Many Business Associates have eschewed the regulatory requirements of HIPAA because they assumed they were safe from an OCR investigation. If this case proves anything, it is that the scope of HIPAA enforcement has come to encompass the full spectrum of HIPAA-beholden organizations: Covered Entities and Business Associates alike.

Things to come…

6. Anthem, February 2015, Fine TBD, 78.8 million affected

The Anthem breach exposed the PHI of almost 80 million Americans in February of 2015 and sent the health care industry spinning. Even though the Anthem breach occurred last year, the OCR investigation has yet to conclude. We could not include it on our list, but it deserves an honorable mention for the sheer volume of patients affected and the certain impact it will have on the future of HIPAA enforcement.

If and when OCR decides to issue a settlement, it is very likely to include the largest fine in the history of enforcement. The OCR fine schedule for violations ranges from $100 to $50,000 per incident, so the stage is set for a serious settlement involving millions of dollars and huge publicity.

Compliancy Group allows anyone to simplify the growing challenges of HIPAA compliance, whether they are an experienced health care professional with compliance expertise or a front desk manager without any formal training. The Guard is our simple, cost-effective, web-based solution that can help any organization regulate and monitor all aspects of its HIPAA compliance throughout its entire practice. With Compliancy Group, you will be guided by our team of expert Compliance Coaches to Achieve, Illustrate, and Maintain compliance with confidence under the full spectrum of HIPAA, HITECH, Omnibus, and PCI regulations.